Lightning Talks Q&A
Formal Metadata
Title: Lightning Talks Q&A
Number of Parts: 28
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/61016 (DOI)
Series: NixCon 2022, part 21 of 28
Transcript: English(auto-generated)
00:00
So the question was whether the rootless Nix daemon talk was about splitting the Nix daemon between one part that had no root access and another that had root access. So the answer is yes and no. The idea is, I didn't have time to elaborate on that. So we want to do that for people who want to run the Nix daemon as a non-root user.
00:22
But because that's adding more complexity, because now you have two daemons to deal with, that makes the install even more complex than it already is. And also because a number of people don't care about that. And in particular, if you're running NixOS, having Nix run as a non-root user is a bit of a joke, because Nix is the thing that's setting up your whole system.
00:41
So even if it's not root, it can do whatever it wants. So the idea is that it can leverage an external daemon to do that. But it can also directly have the way it's working right now as part of the main daemon, in which case the main daemon still requires running as root.
01:23
So the question was whether uncached artifacts are somehow discoverable. And the answer is kind of yes. So I think you need to check in a derivation whether meta.hydraPlatforms is empty or if the license is unfree, if I recall correctly.
01:54
Because not everything supports hashed passwords. Sorry, the question was, what's the advantage of using systemd for secrets
02:01
versus hashed passwords? Not everything supports hashed passwords. And depending on what you're talking about, hashed passwords might actually already be in a rainbow table. So that's sort of problematic. But there are many, many NixOS modules that expect some form of secret to be given to them.
02:21
And they cannot take it as a hashed thing. So for user passwords, that's a thing, although the documentation also says it's dangerous to do that. But for, like, your restic backup password, for instance, you can't do that. You have to make sure you don't end up with that password in your store one way or another.
03:01
So the question is, with systemd secrets, is there a way to manage ownership? Not really. The way you do it is, when you have a systemd unit, you tell that unit to load that encrypted secret and systemd mediates that access. So only that unit will have access to it. If you need it to be on disk somewhere, you basically create a unit that
03:21
will copy it to disk. Like, if you want it in your home directory or something, you'd create a unit that will copy it to your home directory. But that's not actually a very common use case unless you're talking about, like, Home Manager, which is a different area. Typically, you want secrets to be given to one of your daemons.
03:44
I don't see any more hands being raised. I'll assume there are no more questions left. One more round of applause, please, for the speakers. And then I would like to invite Ryan on stage again.
04:02
And the rest, please move on.